Kerberos Single Sign-On on SAP BusinessObjects Mobile

Kerberos is an authentication mechanism in which no passwords are transmitted over the network. The server relies on a ticket issued by a trusted Ticket Granting Server, which the client includes in its request to the server.

To enable Kerberos-based authentication for the Mobi iOS application, a few steps must be performed on both the iOS device and the Mobile server. The sections below outline what these steps are and how to carry them out.

Supported on SAP BusinessObjects Mobile 6.3 onwards (iOS only)

Supported on SAP BI Platform 4.1 (SP07 onwards) and 4.2 (SP02 onwards)

(Note: This entire document is written assuming that the BI Platform is already configured for Kerberos-based authentication. Kerberos SSO is supported only for normal BOE connections from mobile; connections involving SUP and SMP are not supported.)

Configuring the WinAD Machine

Starting with iOS 10, only Constrained Credential Delegation is supported, so the WinAD machine must be configured to support it. If your organization has users on iOS 10 devices, this step is mandatory.

A point to note is that Constrained Credential Delegation works with iOS 9 as well, so it is best to set it up even if there are no iOS 10 users yet.

* Open Active Directory Users and Computers.
* Choose the SAP BusinessObjects service account. Right-click it and open “Properties”.
* Open the “Delegation” tab of the properties dialog.

* By default, the selected option is “Trust this user for delegation to any service (Kerberos only)”. Change it to the third option, “Trust this user for delegation to specified services only”, and under it choose “Use Kerberos only”.

* Click the “Add” button to add the specified service types.

* In the “Add Services” window, click the “Users or Computers” button.

* Enter the service account name in the text area “Enter object names to select” and click the “Check Names” button. This adds the service account name in the format service_account_name (the logon name of the service account). Finish by clicking “OK”.

* Click “Select All” and then “OK”. This selects all service types for the specified user/computer.

* Finally, click “Apply” and “OK” to apply the changes to the service account.

(The above steps change the service account's delegation setting to constrained delegation.)

Configuring the iOS Device

On iOS, Kerberos is controlled by a configuration profile that tells the iOS framework how Kerberos tickets should be handled. This profile can be installed from any MDM tool. If you do not have an MDM tool, you can host the file on any application server and open the link in the Safari browser; iOS automatically detects it as a Kerberos SSO profile and presents the installation screen. The configuration profile must have a .mobileconfig extension. Let us look at a sample configuration profile and check which values we are expected to update.

This is the list of applications eligible to use Kerberos-based authentication. No changes are needed here, since it already contains com.sap.*, which covers the Mobi iOS application (app id com.sap.mobi).

PayloadOrganization – Your organization name.

PayloadDisplayName – Name for this SSO payload. Any string can be given here.

PayloadVersion – Do not modify this value; leave it as it is.

PayloadUUID – This must be a unique id, which can be generated from the following website.

This configuration profile must be modified carefully before deployment, since it is the single source that tells iOS how and when to attach the Kerberos service ticket. Take utmost care when providing values for Name, PrincipalName, Realm and URLPrefixMatches.

Configuring the Import Connection Server

SSO connections in SAP BusinessObjects Mobile can be set up only using the Import server URL. The following connection configuration must be done on the MOBI configuration server (MOBIServer) in the server.properties file.

SSO_Kerberos.DisplayName – Any string; this will be your connection name.

SSO_Kerberos.BOBJ_MOBILE_URL – The mobile server URL. The URL given here and the URL given in URLPrefixMatches of the iOS configuration profile described in the previous section must be the same. (URLs should be FQDNs.)

SSO_Kerberos.BOBJ_MOBILE_CMS – The CMS cluster name or the FQDN of the host running the BI Platform CMS.

SSO_Kerberos.BOBJ_MOBILE_SSO_ENABLED – Do not change the value; leave it as true.

SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE – Do not change the value; leave it as kerberos.
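The two sections above both depend on the profile's URLPrefixMatches and the server's SSO_Kerberos.BOBJ_MOBILE_URL agreeing and being FQDNs. The following Python check is an added example, not code from the blog or from SAP; it reads a constructed .mobileconfig and a constructed server.properties fragment and reports the mismatches a deployment would otherwise only reveal as a failed SSO. It assumes the profile is a standard com.apple.sso payload whose Kerberos dictionary holds PrincipalName, Realm, URLPrefixMatches and AppIdentifierMatches; the hostnames, realm and UUIDs are placeholders.

```python
import fnmatch
import plistlib
from urllib.parse import urlparse

# Constructed sample com.apple.sso profile; hostnames, realm and UUIDs are placeholders.
MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.sso</string>
  <key>PayloadUUID</key><string>5c1a3c3e-7d6b-4d5a-9f1e-2b3c4d5e6f70</string>
  <key>Name</key><string>BOE Kerberos SSO</string>
  <key>Kerberos</key><dict>
   <key>PrincipalName</key><string>jdoe</string>
   <key>Realm</key><string>EXAMPLE.COM</string>
   <key>URLPrefixMatches</key><array><string>https://mobi.example.com/</string></array>
   <key>AppIdentifierMatches</key><array><string>com.sap.*</string></array>
  </dict>
 </dict></array>
 <key>PayloadUUID</key><string>9b2e4f6a-1c3d-4e5f-8a9b-0c1d2e3f4a5b</string>
 <key>PayloadVersion</key><integer>1</integer>
</dict></plist>"""

# Constructed server.properties fragment for the MOBIServer connection (placeholder hosts).
SERVER_PROPERTIES = """SSO_Kerberos.DisplayName=Kerberos SSO
SSO_Kerberos.BOBJ_MOBILE_URL=https://mobi.example.com/MobileBIService
SSO_Kerberos.BOBJ_MOBILE_CMS=cms.example.com
SSO_Kerberos.BOBJ_MOBILE_SSO_ENABLED=true
SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE=kerberos"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' comment lines skipped."""
    return dict(map(str.strip, l.split("=", 1)) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))

def check_sso_config(mobileconfig, server_properties, app_id="com.sap.mobi"):
    """Return a list of mismatches; an empty list means profile and server agree."""
    plist, props, problems = plistlib.loads(mobileconfig), parse_properties(server_properties), []
    sso = next(p for p in plist["PayloadContent"] if p.get("PayloadType") == "com.apple.sso")
    krb = sso["Kerberos"]
    if not any(fnmatch.fnmatch(app_id, pat) for pat in krb["AppIdentifierMatches"]):
        problems.append(f"{app_id} is not covered by AppIdentifierMatches")
    for prefix in krb["URLPrefixMatches"]:  # the blog requires FQDNs, not short hostnames
        if "." not in (urlparse(prefix).hostname or ""):
            problems.append(f"URLPrefixMatches entry is not an FQDN: {prefix}")
    url = props.get("SSO_Kerberos.BOBJ_MOBILE_URL", "")
    if not any(url.startswith(p) for p in krb["URLPrefixMatches"]):  # the two URLs must agree
        problems.append(f"BOBJ_MOBILE_URL {url!r} does not start with any URLPrefixMatches entry")
    if (props.get("SSO_Kerberos.BOBJ_MOBILE_SSO_ENABLED"), props.get("SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE")) != ("true", "kerberos"):
        problems.append("SSO_ENABLED/SSO_TYPE must remain true/kerberos")
    return problems
```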

Configuring the Mobile Server

Last but not least, the mobile server must be enabled for Kerberos-based authentication. Carry out the following three steps in order:

* Stop the Tomcat server.

* Modify sso.properties, authscheme.properties and web.xml.

* Clean-start the Tomcat server.

Let us see the changes to be made for the three files mentioned above.

Changes for sso.properties

Uncomment default.cms.identifier and assign it the value 1.

Uncomment aliases and give it the value which you gave for SSO_Kerberos.BOBJ_MOBILE_CMS described in the previous section.

Uncomment authentication.scheme and assign it the value KERBEROS.

Changes for authscheme.properties

Uncomment the KERBEROS property, as highlighted in the above image.
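The sso.properties and authscheme.properties edits above are easy to get subtly wrong by hand (a key left commented, or set twice). As an added example that is not SAP's own tooling, this Python helper applies those edits idempotently; the two input fragments are constructed stand-ins for the real files, and the class name after KERBEROS= is a placeholder.

```python
import re

# Constructed sso.properties fragment, shaped like the file the blog describes
# (the three keys ship commented out); it is not the real shipped file.
SSO_PROPERTIES = """# MobileBIService SSO settings
#default.cms.identifier=1
#aliases=<cms alias>
#authentication.scheme=
some.other.key=keep-me"""

# Constructed authscheme.properties fragment; values are placeholders.
AUTHSCHEME_PROPERTIES = """#TRUSTED=com.example.Trusted
#KERBEROS=com.example.Kerberos"""

def set_property(text, key, value):
    """Uncomment `key` (or append it if absent) and force it to `value`; idempotent."""
    pattern = re.compile(rf"^[ \t]*#?[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    line = f"{key}={value}"
    if pattern.search(text):
        return pattern.sub(lambda _: line, text, count=1)
    return text.rstrip("\n") + "\n" + line

def uncomment_property(text, key):
    """Drop the leading '#' from `key`'s line, keeping whatever value it already has."""
    return re.sub(rf"^[ \t]*#[ \t]*(?={re.escape(key)}[ \t]*=)", "", text, count=1, flags=re.MULTILINE)

def enable_kerberos(sso_text, authscheme_text, cms_alias):
    """Apply the blog's sso.properties and authscheme.properties changes."""
    sso = set_property(sso_text, "default.cms.identifier", "1")
    sso = set_property(sso, "aliases", cms_alias)  # same value as SSO_Kerberos.BOBJ_MOBILE_CMS
    sso = set_property(sso, "authentication.scheme", "KERBEROS")
    return sso, uncomment_property(authscheme_text, "KERBEROS")

def active_properties(text):
    """Keys that are in effect, i.e. not commented out."""
    return dict(map(str.strip, l.split("=", 1)) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
```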

Configuring web.xml

Replace the web.xml that exists in MobileBIService with the attached web.xml file. (Make sure you pick the XML that matches your version: there is one for 4.1 and one for 4.2.) A few parameters mentioned below must be given values specific to your environment.

The values for each of these keys can be found in global.properties, which is created when the BI Platform is set up with Kerberos. global.properties is located under installation folder\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties.

Note: If you have made the changes described in the first section of this blog to enable Constrained Credential Delegation, then you must also add the following configuration to the web.xml to make sure the mobile server can work with your WinAD machine.

If you have installed the Lumira 2.0 add-on, a few more modifications to the attached web.xml are needed (irrespective of whether the XML is for 4.1 or 4.2):

Find the line “<servlet-class>com.businessobjects.mobilebi.server.addon.ProxyZenServlet</servlet-class>” and replace it with “<servlet-class>com.businessobjects.lumirastudio.mobi.ZenMobiServlet</servlet-class>”.

Find the line “<servlet-class>com.businessobjects.mobilebi.server.addon.ProxyUI5ResourceServlet</servlet-class>” and replace it with “<servlet-class>com.businessobjects.lumirastudio.mobi.ZenUI5ResourceProxyServlet</servlet-class>”.

Add the following at the end of the XML file, just before the </web-app> tag:

You get a pop-up initially where you will have to enter the Win AD password to get the service token. After this, the subsequent logins happen without any pop-up until the obtained service token expires.

Adding to Pavan’s reply, Kerberos tokens on iOS devices are interoperable between apps, which means: say for App-1, with Kerberos auth enabled, you have already signed in, and if the Kerberos token is still valid (whatever has been set by the admin on WinAD), the same token can be used in App-2, but this time it is a direct SSO without an auth challenge. That’s the beauty of Kerberos, and it is well implemented in iOS and in the apps that consume it.

However, it is very disappointing to see that users get a pop-up 10 hours after the initial log-in (due to the expiration of the obtained service token) and need to enter their Win AD password again on their iPads. This expiration time for service tokens is normally a corporate global policy setting and cannot be changed easily, for security reasons.

This solution would work if SAP BI Mobile stored the initial password and re-used it for token renewal. This way users would enter their passwords once, and at most every 3 months when they change them, but not every day.

Would there be a setting for this or is there any solution for not having to re-type passwords every day?